Cisco Secure Access Control System XML External Entity Vulnerability

A vulnerability in the web-based user interface of the Cisco Secure Access Control System (ACS) could allow an authenticated, remote attacker to have read access to part of the information stored in the affected system.

The vulnerability is due to improper handling of the XML External Entity (XXE) when parsing an XML file. An attacker could exploit this vulnerability by submitting a crafted XML header to the affected device web framework.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-acs1 [“https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-acs1”]